
Cross Country University's Caregiver Safety Series

The HIPAA Privacy Rule and The Health Information Technology for Economic and Clinical Health Act of 2010
Definitions
HIPAA Standards govern the portability and privacy of medical information
Healthcare workers and organizations rely heavily on the sharing of patient information. As the rapidly growing trend toward the electronic sharing of that information continues, the healthcare industry needs standards that enable fast and accurate transmission of that information.
However, the more portable (easy to share) patient information becomes, the more difficult it is to protect the privacy of that information. Therefore, healthcare workers, organizations, and consumers are increasingly concerned about patient privacy.
The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA
(hip' uh), was enacted to address these issues. Still in progress are HIPAA Standards that will
establish a format for the fast and accurate exchange of health information data, and for
maintaining the security of that information.
One of the HIPAA Standards already in effect, The Privacy Rule, establishes certain
regulations that protect the privacy of patient information, gives patients greater
access to their own health care information, and gives patients more control over how that
information is shared.
Covered entities must comply with the HIPAA Privacy Rule
The Privacy Rule is a HIPAA Standard that protects the privacy of patient information. As of April 2003, all healthcare organizations must be in compliance with the Privacy Rule. As a result, all medical information that is created, used, or disclosed by a covered entity must be kept private and secure. A covered entity includes any of the following:

Health Care Provider
A provider of medical services that bills for services or is otherwise paid for health care that it delivers

Health Plan
An individual or group health plan that provides or pays the cost of medical care

Healthcare Clearinghouse
A public or private entity, such as a billing service, re-pricing company, community health management information system, or community health information system, that serves as a go-between for the exchange of information between two or more covered entities

Business Associate
A person or organization who provides services within a Health Care Provider organization, but that is not part of the organization. The Business Associate would have access to Protected Health Information (PHI). Examples include organizations that provide Physical Therapy services for a hospital, or medical transcription services used by a physician's office.
All employees of covered entities must comply with the HIPAA Privacy Rule
when they gather, store, and transmit healthcare information. Failure to follow
HIPAA regulations can result in punitive fines for health care providers and/or
individuals involved.

Page 1 of 4
Copyright, 2010, Cross Country University.

Protected Health Information is information that is individually identifiable
The Privacy Rule protects the privacy of all Protected Health Information (PHI). PHI is
individually identifiable health information that is gathered, stored, or transmitted on paper,
orally, or by electronic or any other media. PHI does not include individually identifiable health
information in education records and in employment records held by a covered entity in its
role as an employer.
Individually identifiable health information is health information that specifically identifies the
individual, or is information that could reasonably be expected to identify an individual, even if
the individual is not named.
Example:
Mary Smith is the only 50-year-old patient with a diagnosis of lung cancer at XYZ Hospital.
The following statement DOES NOT provide individually identifiable health information about
Mary Smith and is therefore not PHI: There are presently 7 persons with a diagnosis of lung
cancer at XYZ Hospital.
The following statement DOES provide individually identifiable health information: There is a
50-year-old woman with lung cancer at XYZ Hospital.
Though the second statement does not mention Mary Smith by name, it is PHI because Mary
Smith is the only person who fits the description.
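The Mary Smith example is a single instance of a general check: a statement that names nobody is still individually identifiable when the attributes it reveals (age, sex, diagnosis, facility) fit exactly one person in the population. The following Python is an added illustration of that check, not part of the Cross Country University lesson. The patient records are constructed sample data for the fictional XYZ Hospital (seven lung cancer patients, as in the lesson, plus two others), and the "small group" threshold of five is an assumed policy value chosen for the example. It goes beyond the lesson's two statements by computing, for any set of fields, the smallest group of patients sharing one combination of them, which is the usual way to judge whether a de-named release is safe.

```python
from collections import Counter

# Constructed sample data for a fictional "XYZ Hospital" (not real patients):
# seven lung cancer patients, matching the lesson's count, plus two patients
# with another diagnosis so that age alone does not single anyone out.
PATIENTS = [
    {"name": "Mary Smith", "age": 50, "sex": "F", "diagnosis": "lung cancer", "hospital": "XYZ Hospital"},
    {"name": "John Doe",   "age": 64, "sex": "M", "diagnosis": "lung cancer", "hospital": "XYZ Hospital"},
    {"name": "Ann Lee",    "age": 71, "sex": "F", "diagnosis": "lung cancer", "hospital": "XYZ Hospital"},
    {"name": "Bob Ray",    "age": 58, "sex": "M", "diagnosis": "lung cancer", "hospital": "XYZ Hospital"},
    {"name": "Eve Kim",    "age": 64, "sex": "F", "diagnosis": "lung cancer", "hospital": "XYZ Hospital"},
    {"name": "Tom Fox",    "age": 77, "sex": "M", "diagnosis": "lung cancer", "hospital": "XYZ Hospital"},
    {"name": "Sue Hill",   "age": 69, "sex": "F", "diagnosis": "lung cancer", "hospital": "XYZ Hospital"},
    {"name": "Ned Cole",   "age": 50, "sex": "M", "diagnosis": "pneumonia",   "hospital": "XYZ Hospital"},
    {"name": "Ida Wu",     "age": 50, "sex": "F", "diagnosis": "pneumonia",   "hospital": "XYZ Hospital"},
]


def matching_patients(records, **attributes):
    """Return every record whose fields equal all of the given attribute values.

    The attributes are the details a statement reveals (for example age=50,
    diagnosis="lung cancer"); the name field is deliberately never consulted.
    """
    return [r for r in records if all(r.get(k) == v for k, v in attributes.items())]


def is_individually_identifiable(records, **attributes):
    """True when the described attributes fit exactly one person.

    This is the lesson's test: a statement that names nobody is still PHI
    when only one patient matches the description.
    """
    return len(matching_patients(records, **attributes)) == 1


def smallest_group_size(records, keys):
    """Smallest number of patients sharing one combination of the given keys.

    A result of 1 means at least one patient is uniquely described by those
    fields, so releasing them together is a disclosure risk.
    """
    counts = Counter(tuple(r[k] for k in keys) for r in records)
    return min(counts.values())


def classify_statement(records, **attributes):
    """Label a de-named statement as 'identifying', 'small group' or 'aggregate'."""
    n = len(matching_patients(records, **attributes))
    if n == 1:
        return "identifying"
    if n < 5:  # assumed policy threshold for this example, not from the lesson
        return "small group"
    return "aggregate"


if __name__ == "__main__":
    # "There are presently 7 persons with a diagnosis of lung cancer at XYZ Hospital."
    print(classify_statement(PATIENTS, diagnosis="lung cancer", hospital="XYZ Hospital"))
    # "There is a 50-year-old woman with lung cancer at XYZ Hospital."
    print(classify_statement(PATIENTS, age=50, sex="F", diagnosis="lung cancer", hospital="XYZ Hospital"))
    # Smallest group once age, diagnosis and hospital are released together
    print(smallest_group_size(PATIENTS, ("age", "diagnosis", "hospital")))
```

The first statement resolves to seven patients and is reported as aggregate; the second resolves to Mary Smith alone and is reported as identifying, even though her name never appears. The group-size function shows why: over diagnosis and hospital alone the smallest group is two, but adding age drives it to one.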

Compliance
Using and disclosing protected health information
Without a signed or verbal authorization from the patient, Protected Health Information (PHI)
can be used and disclosed ONLY:

To individuals for treatment, payment, or healthcare operations
To those within the organization who require the information to carry out their job responsibilities
To other covered entities who need the information to provide treatment or for billing purposes
To law enforcement agencies when needed for legal purposes. This includes coroners and medical examiners
To public health officials
If needed for Workmen's Compensation
If needed to stop serious threats to health and/or safety
If needed for charges of fraud or abuse
With a valid authorization by the individual patient

When providing PHI, use the Minimum Necessary Rule. That is, provide only the least amount
of information that is needed.
This Minimum Necessary Rule does NOT apply to:

Information shared with other health care providers for treatment purposes;
healthcare providers may require the entire record for treatment
Information requested by the individual
Information required by law

With a verbal authorization from the patient, PHI can be disclosed to family members and to
friends identified by the patient, and it can be included in a facility directory (for example,
Patient Information may provide the patient's room number to callers). The patient also has
the right to place restrictions on the amount of information to be given out.
A written patient authorization is required to use or disclose PHI for any other purpose, such
as marketing or research.
Protected Health Information that can be disclosed does NOT include psychotherapy notes.
The patient must give specific authorization for psychotherapy notes to be disclosed except:

To carry out treatment, payment, or healthcare operations
To the originator of the notes so that treatment can be provided
To students who are training within the facility, to improve counseling skills
To use as a defense if the individual has brought a suit against the agency

A Note about Psychotherapy Notes:
The first bullet item above seems to indicate that psychotherapy notes may be addressed the
same as any other PHI. However, in practical application, psychotherapy notes are held to a
higher standard of privacy and employees must be aware of their organization's specific
policies regarding the privacy of these notes. As a rule of thumb, without the patient's written
authorization, the notes cannot be used by, or shared with, anyone other than the attending
physician.
Healthcare organizations inform patients about the Privacy Rule
HIPAA requires that a notice of the organization's privacy practices be given to each individual
receiving services. The purpose of the notice is to inform the individuals how their health
information may be used and shared, and how they may review this information.
This Notice of Privacy Practices needs to be prominently posted in public areas and also needs
to be available for patients to take with them. If the organization has a website, there must be
a copy of this notice on the website, as well as a copy available for downloading.
Patients sign that they have received the information. Explanatory documentation is provided
if it is not possible to get the patient's written acknowledgement that the information was
received.
Some of the required sections of the Notice of Privacy Practices include:

A detailed description of how the information may be used for treatment, payment,
and healthcare operations
A description of circumstances in which protected health information may be disclosed
without the individual's written permission
A statement that other uses and disclosures will only be made with written
authorization from the individual, and that the authorization can be withdrawn
A statement of the individual's rights with respect to protected health information, as
well as an explanation of how the individual can exercise those rights.
A statement that the organization is required by law to maintain the privacy of
protected health information and to provide individuals with notice of its legal duties
and privacy practices with respect to protected health information
A statement that individuals have the right to complain to the organization and to the
Secretary of Health and Human Services (HHS) or any officer or employee of HHS to
whom the authority involved has been delegated if they believe their privacy rights
have been violated
A brief description as to how the complaint may be filed
A statement that there will be no retaliation towards the individual for filing a
complaint
The name, title, and telephone number of the person or office to contact for further
information. It must also contain the effective date of the notice

Rights of patients
HIPAA allows individuals certain rights as to how their Personal Health Information is used and
accessed.
Individuals have the right to restrict the use and disclosure of their information.
They can request that information be restricted in some manner when disclosed to others for
the purpose of treatment, payment, or healthcare operations.
However, the health care organization, or other covered entity, does have the right to not
agree to this restriction.
Example: The patient could request that the organization not share his diagnosis with his
health insurance agency. Since this would affect the way in which the organization will be
reimbursed for services, the organization does not have to agree to this.
Individuals have the right to access their own Personal Health Information
Individuals have the right to inspect and receive a copy of their PHI with the exceptions of
psychotherapy notes and information that has been gathered in anticipation of civil, criminal,
or administrative action.
Individuals have the right to amend their Personal Health Information
Individuals can request that the organization change any PHI that it maintains in record sets.
The organization can require that these requests for change be in writing and that the
individual explain the reason for the change.
Individuals have a right to have an account of access to their PHI
Individuals have a right to know the identities of those persons or agencies (including Business Associates) that have accessed their PHI for 6 years PRIOR to the request.

The Health Information Technology for Economic and Clinical Health Act of 2010
The American Recovery and Reinvestment Act of 2009 became Federal law on February 17, 2009. Part of this law, called the Health Information Technology for Economic and Clinical Health Act, or the HITECH Act, was created to accelerate implementation of Electronic Health Records (EHR).
Incentives are provided to healthcare entities and practitioners in the form of Medicare and Medicaid reimbursement for the purchase, modernization, integration, and meaningful use of EHR.

End of HIPAA Lesson
